www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
31 October 2005  
Vendor Accent

Adapting security to looming challenges

Organisations must operate in a co-ordinated manner to stop attacks, and control network activity and applications better, says Jagdish Mahapatra.

In June 2004, a large number of robots, or bots, attacked Google, Yahoo, and other major Web sites, blocking access to these sites for two hours. Security experts were able to identify the bot network, or botnet, that appeared to be operating, and managed to shut it down, stopping the attack.

Rogue developers create such threats using worms, viruses, or application-embedded attacks. To build a botnet, for example, they can use a worm or an application-embedded attack, one hidden within application traffic such as Web traffic or peer-to-peer shared files, to deposit Trojans. This combination of attack techniques (a virus or worm used to deposit a Trojan, for example) is relatively new and is known as a blended attack.

The evolving perimeter

Changes in network architectures and evolving threats create new security challenges. Also, the concept of the network perimeter is changing. In the past, users could only access the network through a few ingress or egress points, usually where the Internet connected to the enterprise network. Enterprises stacked security at the Internet perimeter using firewalls and intrusion detection systems (IDS). However, today, many more means of gaining entry to the network exist. With the perimeter having been extended and distributed, security too needs to be applied at each of these new ingress and egress points to avoid damaging threats, thus complicating security architectures.

Take, for example, Virtual Private Networks (VPNs). These allow enterprise users remote access to the corporate network and are much more widely used than just a few years ago. While previously enterprises might have insisted that VPN software run on a specific enterprise-configured computer, today, users run VPNs from their own PCs or even from kiosks at copy centres or other businesses. This phenomenon allows many more entry paths to the enterprise network and presents a significant challenge to IT departments. Is the computer equipped with virus protection? Is the virus software current? Did a worm become embedded in the computer?

Or, for that matter, let's look at wireless. Do wireless LANs (WLANs) pose additional security challenges? Users operating on an unsecured wireless network at a local coffeehouse may be unaware that a rogue PC on the same wireless subnet is depositing a virus on their PC. When that PC is later docked into the corporate network, the virus could gain entry into the network.

Security: Moore’s Law in reverse

At the same time as the network is becoming more vulnerable to attack because of the expanding number of entry points, the threats themselves are changing. In addition to Trojans and botnets, newer, even more dangerous threats lurk. Two of the most troublesome are flash threats and self-mutating worms. Flash threats are so named because of the speed with which viruses or worms can spread. In 1999, a virus dubbed Melissa, one of the earliest and most widespread viruses at the time, took 16 hours to spread globally, according to Network Associates Inc. In January 2003, the Slammer virus managed to infect more than 90 percent of the vulnerable hosts worldwide within 10 minutes, using a well-known vulnerability in Microsoft’s SQL Server. New viruses in the coming months and years are expected to spread even faster. Therefore, whatever defences organisations create, they must be able to identify the threat and respond faster than before.

The other looming threat is the self-mutating worm. Today’s worms are relatively unintelligent. They are programmed to follow a specific set of instructions, such as to infiltrate one machine through a specific port and, once on the machine, compromise it in some way, for example by causing a buffer overflow and planting a Trojan. If anything interferes with these planned instructions, the worm lacks the ability to adjust and dies. Now, however, rogue developers are adding intelligence and logic to worms so that, if they can’t complete a specific task, the worms can mutate and pursue other lines of attack.

Experts call this security dilemma Moore’s Law in reverse. Whereas Moore’s Law postulates that processor performance will double every 18 months while costs decline dramatically, security is moving in the opposite direction: networks are becoming less secure while the cost to defend them is increasing.

New threats = increase in manageability?

The current security defence paradigm is to deploy more and more of the existing security technologies throughout every segment of the network. This includes firewalls and ACLs to block access and perform application inspection, intrusion protection system (IPS) technology to provide granular traffic inspection and identify known threats, encryption software to counter eavesdropping, anomaly detection to detect worms or DoS attacks, and anti-virus software to battle viruses.

Many of today’s security technologies were developed to perform their specific function with little context of the overall network threat environment. Operating alone, however, these technologies are less effective at stopping the newer attacks, and at coping with the changing ways in which users access networks, because of the security gaps that exist between each technique’s capabilities. With the increased complexity of threats, such as blended threats that use a combination of techniques to disrupt networks, corporates must operate in a co-ordinated fashion to stop attacks and control network activity and applications better.

Unfortunately, over the years, many companies have addressed nagging security concerns by constantly adding devices and software to address each particular problem. This has led to separate anti-virus protection, firewalls, VPNs, and intrusion prevention systems. While this addresses the short-term needs, it creates an entirely new and bigger problem: managing multiple systems that operate independently of one another. As more advanced threats emerge, there is a need for network security to become more holistic; organisations must act in co-ordination to detect and defend against more sophisticated threats. There is a growing need for devices that can assemble the pieces of the puzzle and lock down the gaps that exist in conventional network security systems.

Adaptive security for a changing world

Transforming chaos into a clear and manageable security policy is essential. Future network security systems need to focus on convergence and consolidation. In network security, a proactive approach is critical. The idea is to accurately identify and stop attacks as early and as far from the destination host as possible, while simultaneously simplifying the security architectures required to do this. Converging numerous security functions into a single adaptive device or system enables these combined functions to operate as a co-ordinated defence (instead of silos) that stops a broader range of attacks and greatly reduces the number of diverse devices that must be deployed, thereby simplifying security design and management.

Historically, firewalls have been considered fairly simple devices, but they are effective at what they do: either block a packet or let it through based on Layer 3 and Layer 4 information and session state. They can provide some level of application inspection but do not perform the detailed inspection of some other technologies. An IPS device can pick up where a traditional firewall leaves off by peering more deeply into a packet’s contents to see whether the data within conforms to company policy. But IPS devices lack the breadth of mitigation actions and resilience of a firewall that network security administrators require. Combined, however, a firewall and an IPS device can be more effective than either one by itself.

An additional limitation of IPS devices, however, is that while they have a fine-grained view of network traffic, they are signature-based; that is, they must receive updates that tell them what to look out for. Signature updates can take from 24 to 48 hours, making them ineffective against tomorrow’s flash threats. This is where network anti-virus software comes in, with its dynamic outbreak prevention updates. Anti-virus software can be updated quickly and can disseminate the information rapidly through an infrastructure to all endpoints. If this infrastructure is merged with IPS and firewalls, companies gain more than just the power of each: they now have a security threat defence system, a way to rapidly update information and deeply analyse packets for identification of worms and viruses, as well as the firewall capability to block those packets from entering the network and a solution that is highly resilient. This type of systems approach transforms security from operating as separate siloed technologies in a reactive mode, with limited and static detection methods, to functioning as a co-ordinated, proactive threat defence system that adapts to the threat environment.
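The division of labour the two preceding paragraphs describe, a firewall deciding on Layer 3/4 headers and session state, an IPS inspecting payload contents against signatures, and a fast signature-update path closing the window in which a new variant passes, can be made concrete with a toy model. The code below is an added example, not from the column or from Cisco; the packets, addresses, ports, payloads and signature patterns are all constructed for the demonstration (UDP port 1434 appears only as a port the policy does not expose), and the `defend` pipeline is a simplification, not any product's design.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: Layer 3/4 header fields plus the application payload."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    syn: bool       # True for a TCP connection request (opens a new session)
    payload: bytes


class StatefulFirewall:
    """Layer 3/4 filter: allow or block on addresses, protocol, port and session state.
    It never looks inside the payload; that is the gap the IPS stage fills."""

    def __init__(self, inbound_allowed: Set[Tuple[str, int]], internal_prefix: str):
        self.inbound_allowed = inbound_allowed     # {(proto, dport)} reachable from outside
        self.internal_prefix = internal_prefix     # constructed: "10.0." is the protected net
        self.sessions: Set[Tuple[str, str, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.sessions:
            return "allow"                         # established session, let it through
        if pkt.src.startswith(self.internal_prefix):
            self.sessions.add(key)                 # outbound traffic opens a session
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "block"                         # mid-stream packet with no known session
        if (pkt.proto, pkt.dport) in self.inbound_allowed:
            self.sessions.add(key)                 # policy exposes this port: open a session
            return "allow"
        return "block"


class SignatureIPS:
    """Content inspector: matches payload bytes against known-bad signatures.
    It only knows what its signature set tells it, so a new variant passes
    until an update arrives."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = dict(signatures)

    def push_update(self, new_signatures: Dict[str, bytes]) -> None:
        """Models the rapid outbreak-prevention update the column describes."""
        self.signatures.update(new_signatures)

    def inspect(self, pkt: Packet) -> Optional[str]:
        for name, pattern in self.signatures.items():
            if pattern in pkt.payload:
                return name
        return None


def defend(fw: StatefulFirewall, ips: SignatureIPS, pkt: Packet) -> str:
    """Run the stages in order: the cheap L3/L4 decision first, deep inspection second."""
    if fw.check(pkt) == "block":
        return "blocked:firewall"
    hit = ips.inspect(pkt)
    if hit is not None:
        return f"blocked:ips:{hit}"
    return "allowed"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed traffic showing what each layer catches and what falls through."""
    fw = StatefulFirewall(inbound_allowed={("tcp", 80)}, internal_prefix="10.0.")
    ips = SignatureIPS({"worm-A": b"WORM-A-MARKER"})   # constructed signature, not a real one
    web = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, True, b"GET / HTTP/1.1\r\n")
    closed_port = Packet("203.0.113.7", "10.0.0.5", "udp", 1434, False, b"constructed probe")
    known_worm = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, True, b"POST /x WORM-A-MARKER")
    new_variant = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, True, b"POST /x WORM-B-MARKER")

    results = [
        ("benign web request", defend(fw, ips, web)),
        ("probe to a port the policy does not expose", defend(fw, ips, closed_port)),
        ("known worm over allowed port 80", defend(fw, ips, known_worm)),
        ("new variant, before signature update", defend(fw, ips, new_variant)),
    ]
    ips.push_update({"worm-B": b"WORM-B-MARKER"})   # the fast update path closes the gap
    results.append(("new variant, after signature update", defend(fw, ips, new_variant)))
    return results


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label:45s} -> {verdict}")
```

The third case is the one the column is really about: the worm rides an allowed port, so the firewall's Layer 3/4 view cannot distinguish it from the benign request, and only payload inspection stops it. The fourth and fifth cases show the signature window: the same pipeline lets the unknown variant through until a signature is pushed, which is why the speed of the update path, not just the depth of inspection, decides the outcome against a flash threat.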

These systems provide numerous benefits: improved detection, greater event classification accuracy, lower operating costs, streamlined administration, and services extensibility that integrates the most advanced security technologies as they are developed. Most importantly, these converged systems will not compromise the quality of security in any given category, but instead combine the strength of each in complementary ways to deliver a tighter, co-ordinated defence.

The author is Regional Manager, Channels, Cisco India & SAARC.

He can be reached at mjagdish@cisco.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.